def __init__(self, hostname):
super(CLIHost, self).__init__(hostname)
inventory = Inventory()
if inventory.has_option(self.hostname, 'sudo_password'):
self.sudo_password = inventory.get(self.hostname, 'sudo_password')
else:
self.sudo_password = None
if inventory.has_option(self.hostname, 'enable_password'):
self.enable_password = inventory.get(self.hostname, 'enable_password')
else:
self.enable_password = None
self._cmd_out_buf = ''
self._cmd_err_buf = ''
def connect(self):
inventory = Inventory()
address = self.hostname
if inventory.has_option(self.hostname, 'address'):
address = inventory.get(self.hostname, 'address')
ip = None
nb_name = None
try:
socket.inet_aton(address)
ip = address
except OSError as e:
nb_name = address
nb = NetBIOS()
if ip is not None and nb_name is None:
# need to look up the hostname
logger.debug('Looking up NetBIOS name from IP ' + ip)
nb_names = nb.queryIPForName(ip)
if nb_names is None or len(nb_names) < 1:
raise RuntimeError('Cannot connect to host ' + self.hostname +
'; looking up NetBIOS name failed')
nb_name = nb_names[0]
elif ip is None and nb_name is not None:
# not a IPv4 address, need to look up the ip
nb_name = address
logger.debug('Looking up NetBIOS IP from name ' + nb_name)
ips = nb.queryName(nb_name)
if ips is None or len(ips) < 1:
raise RuntimeError('Cannot connect to host ' + self.hostname +
'; looking up NetBIOS IP failed')
ip = ips[0]
nb.close()
if inventory.has_option(self.hostname,
'username') and inventory.has_option(
self.hostname, 'password'):
username = inventory.get(self.hostname, 'username')
password = inventory.get(self.hostname, 'password')
client_machine_name = ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(15))
logger.debug('Using client name of ' + client_machine_name)
logger.info('Connecting to ' + nb_name + ' as ' + username +
' for host ' + self.hostname)
self.connection = SMBHost(username,
password,
client_machine_name,
nb_name,
use_ntlm_v2=True,
sign_options=SMBHost.SIGN_WHEN_SUPPORTED
) #, is_direct_tcp=True)
if not self.connection.connect(ip):
raise RuntimeError('Cannot connect to host ' + self.hostname +
'; connecting via SMB failed')
else:
raise RuntimeError('No method of authenticating with host ' +
self.hostname + ' found')
print(str(self.connection.listPath('ADMIN$', '\\')))
def load(hostname):
inventory = Inventory()
# TODO better connection detection
if not inventory.has_section(hostname) or not inventory.has_option(
hostname, 'connection'):
if hostname == 'localhost':
connection_type = 'local'
else:
connection_type = 'ssh'
else:
connection_type = inventory.get(hostname, 'connection')
# TODO impacket
# TODO SMB?
# TODO PSExec?
if connection_type == 'ssh':
from scap.host.cli.SSHHost import SSHHost
return SSHHost(hostname)
elif connection_type == 'winrm':
if not inventory.has_option(hostname, 'winrm_auth_method'):
raise RuntimeError(
'Host ' + hostname +
' has not specified option: winrm_auth_method')
auth_method = inventory.get(hostname, 'winrm_auth_method')
logger.debug('Using winrm_auth_method ' + auth_method)
if auth_method == 'ssl':
from scap.host.cli.winrm.WinRMHostSSL import WinRMHostSSL
return WinRMHostSSL(hostname)
elif auth_method == 'ntlm':
from scap.host.cli.winrm.WinRMHostNTLM import WinRMHostNTLM
return WinRMHostNTLM(hostname)
elif auth_method == 'kerberos':
from scap.host.cli.winrm.WinRMHostKerberos import WinRMHostKerberos
return WinRMHostKerberos(hostname)
elif auth_method == 'plaintext':
from scap.host.cli.winrm.WinRMHostPlaintext import WinRMHostPlaintext
return WinRMHostPlaintext(hostname)
else:
raise RuntimeError(
'Host ' + hostname +
' specified an invalid winrm_auth_method option')
elif connection_type == 'local':
if sys.platform.startswith('linux'):
from scap.host.cli.local.LinuxLocalHost import LinuxLocalHost
return LinuxLocalHost(hostname)
elif sys.platform == 'win32':
from scap.host.cli.local.WindowsLocalHost import WindowsLocalHost
return WindowsLocalHost(hostname)
else:
raise NotImplementedError('Local connection on ' +
sys.platform +
' is not yet supported')
else:
raise RuntimeError('Unsupported host connection type: ' +
connection_type)
def exec_command(self, cmd, sudo=False, enable=False):
inventory = Inventory()
if sudo:
if not self.sudo_password:
if not inventory.has_option(self.hostname, 'sudo_password'):
self.sudo_password = getpass.getpass('Sudo password for host ' + self.hostname + ': ')
else:
self.sudo_password = inventory.get(self.hostname, 'sudo_password')
cmd = 'sudo -S -- sh -c "' + cmd.replace('"', r'\"') + '"'
# TODO need to do platform detection for sudo prompt
#if sys.platform.startswith('linux'):
self.sudo_prompt = '[sudo]'
#elif sys.platform.startswith('darwin'):
# self.sudo_prompt = 'Password:'******'sudo prompt unknown for platform ' + sys.platform)
elif enable:
if not self.enable_password:
if not inventory.has_option(self.hostname, 'enable_password'):
self.enable_password = getpass.getpass('Enable password for host ' + self.hostname + ': ')
else:
self.enable_password = inventory.get(self.hostname, 'enable_password')
else:
cmd = 'sh -c "' + cmd.replace('"', r'\"') + '"'
logger.debug("Sending command: " + cmd)
chan = self.client.get_transport().open_session()
chan.exec_command(cmd)
chan.settimeout(self.SSH_TIMEOUT)
self.out_buf = ''
self.err_buf = ''
while True:
if chan.recv_ready():
self._recv(chan)
if chan.recv_stderr_ready():
self._recv_stderr(chan, sudo)
if chan.exit_status_ready():
self._recv(chan)
self._recv_stderr(chan, sudo)
break
chan.close()
lines = str.splitlines(self.out_buf)
for i in range(len(lines)):
lines[i] = lines[i].strip()
err_lines = str.splitlines(self.err_buf)
for i in range(len(err_lines)):
err_lines[i] = err_lines[i].strip()
if len(err_lines) > 0:
raise RuntimeError(str(err_lines))
return lines
def exec_command(self, cmd):
inventory = Inventory()
cmd = 'sh -c "' + cmd.replace('"', r'\"') + '"'
logger.debug("Sending command: " + cmd)
chan = self.client.get_transport().open_session()
chan.exec_command(cmd)
chan.settimeout(self.SSH_TIMEOUT)
self._cmd_out_buf = ''
self._cmd_err_buf = ''
while True:
if chan.recv_ready():
try:
self._recv_stdout(chan.recv(1024).decode())
except socket.timeout:
pass
if chan.recv_stderr_ready():
try:
self._recv_stderr(chan.recv_stderr(1024).decode())
except socket.timeout:
pass
if chan.exit_status_ready():
try:
self._recv_stdout(chan.recv(1024).decode())
except socket.timeout:
pass
try:
self._recv_stderr(chan.recv_stderr(1024).decode())
except socket.timeout:
pass
break
status = chan.recv_exit_status()
chan.close()
out_lines = str.splitlines(self._cmd_out_buf)
out_lines = [line.strip('\x0A\x0D') for line in out_lines]
err_lines = [
line.strip('\x0A\x0D')
for line in str.splitlines(self._cmd_err_buf)
]
err_lines = [line.strip('\x0A\x0D') for line in err_lines]
return (status, out_lines, err_lines)
def load(hostname):
inventory = Inventory()
# TODO better connection detection
if not inventory.has_section(hostname) or not inventory.has_option(hostname, 'connection'):
if hostname == 'localhost':
connection_type = 'local'
else:
connection_type = 'ssh'
else:
connection_type = inventory.get(hostname, 'connection')
# TODO impacket
# TODO SMB?
# TODO PSExec?
if connection_type == 'ssh':
from scap.host.cli.SSHHost import SSHHost
return SSHHost(hostname)
elif connection_type == 'winrm':
if not inventory.has_option(hostname, 'winrm_auth_method'):
raise RuntimeError('Host ' + hostname + ' has not specified option: winrm_auth_method')
auth_method = inventory.get(hostname, 'winrm_auth_method')
logger.debug('Using winrm_auth_method ' + auth_method)
if auth_method == 'ssl':
from scap.host.cli.winrm.WinRMHostSSL import WinRMHostSSL
return WinRMHostSSL(hostname)
elif auth_method == 'ntlm':
from scap.host.cli.winrm.WinRMHostNTLM import WinRMHostNTLM
return WinRMHostNTLM(hostname)
elif auth_method == 'kerberos':
from scap.host.cli.winrm.WinRMHostKerberos import WinRMHostKerberos
return WinRMHostKerberos(hostname)
elif auth_method == 'plaintext':
from scap.host.cli.winrm.WinRMHostPlaintext import WinRMHostPlaintext
return WinRMHostPlaintext(hostname)
else:
raise RuntimeError('Host ' + hostname + ' specified an invalid winrm_auth_method option')
elif connection_type == 'local':
if sys.platform.startswith('linux'):
from scap.host.cli.local.LinuxLocalHost import LinuxLocalHost
return LinuxLocalHost(hostname)
elif sys.platform == 'win32':
from scap.host.cli.local.WindowsLocalHost import WindowsLocalHost
return WindowsLocalHost(hostname)
else:
raise NotImplementedError('Local connection on ' + sys.platform + ' is not yet supported')
else:
raise RuntimeError('Unsupported host connection type: ' + connection_type)
def exec_command(self, cmd, elevate=False, encoding='cp437'):
inventory = Inventory()
logger.debug("Sending command: " + cmd)
if elevate:
ctypes.windll.shell32.ShellExecuteW(None, "runas", 'cmd', '/c "' + cmd.replace('"', r'\"') + '"', None, 1)
else:
p = subprocess.run(cmd,
stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.PIPE,
shell=True)
#logger.debug('Got stdout: ' + str(p.stdout))
#logger.debug('Got stderr: ' + str(p.stderr))
lines = str.splitlines(p.stdout.replace(b'\r\r', b'\r').decode(encoding))
err_lines = str.splitlines(p.stderr.replace(b'\r\r', b'\r').decode(encoding))
#logger.debug('stdout lines: ' + str(lines))
#logger.debug('stderr lines: ' + str(err_lines))
if len(err_lines) > 0:
raise RuntimeError(str(err_lines))
return lines
def __init__(self, hostname):
super(CLIHost, self).__init__(hostname)
inventory = Inventory()
if inventory.has_option(self.hostname, 'sudo_password'):
self.sudo_password = inventory.get(self.hostname, 'sudo_password')
else:
self.sudo_password = None
if inventory.has_option(self.hostname, 'enable_password'):
self.enable_password = inventory.get(self.hostname,
'enable_password')
else:
self.enable_password = None
self._cmd_out_buf = ''
self._cmd_err_buf = ''
def exec_command(self, cmd, encoding='cp437'):
inventory = Inventory()
logger.debug("Sending command: " + cmd)
p = subprocess.run(cmd,
stdout=subprocess.PIPE,
stdin=subprocess.PIPE,
stderr=subprocess.PIPE,
shell=True)
#logger.debug('Got stdout: ' + str(p.stdout))
#logger.debug('Got stderr: ' + str(p.stderr))
out_lines = str.splitlines(
p.stdout.replace(b'\r\r', b'\r').decode(encoding))
out_lines = [line.strip('\x0A\x0D') for line in out_lines]
err_lines = str.splitlines(
p.stderr.replace(b'\r\r', b'\r').decode(encoding))
err_lines = [line.strip('\x0A\x0D') for line in err_lines]
#logger.debug('stdout lines: ' + str(out_lines))
#logger.debug('stderr lines: ' + str(err_lines))
return (p.returncode, out_lines, err_lines)
import pytest
import uuid
from scap.Collector import ArgumentException
from scap.Host import Host
from scap.model.cpe_matching_2_3.CPE import CPE
from scap.Inventory import Inventory
logger = logging.getLogger(__name__)
filename = str(
pathlib.Path(os.path.expanduser('~')) / '.pyscap' / 'inventory.ini')
try:
with open(filename, 'r') as fp:
logger.debug('Loading inventory from ' + filename)
Inventory().readfp(fp)
except IOError:
logger.error('Could not read from inventory file ' + filename)
host = Host.load('localhost')
@pytest.mark.parametrize("oval_family, env_var", (
('linux', 'HOME'),
('windows', 'USERNAME'),
))
def test_exists(oval_family, env_var):
if host.facts['oval_family'] != oval_family:
pytest.skip('Does not apply to platform')
c = host.load_collector('EnvironmentCollector', {})
def connect(self):
inventory = Inventory()
if inventory.has_option(self.hostname, 'address'):
address = inventory.get(self.hostname, 'address')
else:
address = self.hostname
logger.debug('Using address ' + address)
if inventory.has_option(self.hostname, 'scheme'):
scheme = inventory.get(self.hostname, 'scheme')
else:
scheme = 'http'
logger.debug('Using url scheme ' + scheme)
if inventory.has_option(self.hostname, 'port'):
port = inventory.get(self.hostname, 'port')
else:
if scheme == 'http':
port = '5985'
elif scheme == 'https':
port = '5986'
else:
raise('Invalid WinRM scheme: ' + scheme)
logger.debug('Using port ' + port)
if not inventory.has_option(self.hostname, 'username'):
raise RuntimeError('Host ' + self.hostname + ' has not specified option: username')
username = inventory.get(self.hostname, 'username')
if inventory.has_option(self.hostname, 'kerberos_realm'):
username = username + '@' + inventory.get(self.hostname, 'kerberos_realm')
logger.debug('Using username ' + username)
if inventory.has_option(self.hostname, 'kerberos_delegation'):
kerberos_delegation = inventory.get(self.hostname, 'kerberos_delegation')
else:
kerberos_delegation = False
if inventory.has_option(self.hostname, 'kerberos_hostname_override'):
kerberos_hostname_override = inventory.get(self.hostname, 'kerberos_hostname_override')
else:
kerberos_hostname_override = None
self.protocol = Protocol(
endpoint=scheme + '://' + address + ':' + port + '/wsman',
transport='kerberos',
username=username,
kerberos_delegation=kerberos_delegation,
kerberos_hostname_override=kerberos_hostname_override)
try:
self.shell_id = self.protocol.open_shell()
except Exception as e:
logger.warning(str(e))
def connect(self):
self.client = paramiko.client.SSHClient()
self.client.load_system_host_keys()
try:
# TODO windows/linux home instead of ~
logger.debug('Read ssh host keys from ~/.pyscap/ssh_host_keys')
self.client.load_host_keys(os.path.expanduser('~/.pyscap/ssh_host_keys'))
except:
logger.warning("Couldn't read ssh host keys")
self.client.set_missing_host_key_policy(self.AskHostKeyPolicy())
inventory = Inventory()
if inventory.has_option(self.hostname, 'ssh_port'):
port = inventory.get(self.hostname, 'ssh_port')
else:
port = 22
self.sudo_password = None
if inventory.has_option(self.hostname, 'ssh_username') and inventory.has_option(self.hostname, 'ssh_password'):
self.client.connect(self.hostname, port=port,
username=inventory.get(self.hostname, 'ssh_username'),
password=inventory.get(self.hostname, 'ssh_password'))
if inventory.has_option(self.hostname, 'sudo_password'):
self.sudo_password = inventory.get(self.hostname, 'sudo_password')
else:
self.sudo_password = inventory.get(self.hostname, 'ssh_password')
elif inventory.has_option(self.hostname, 'ssh_private_key_filename'):
if inventory.has_option(self.hostname, 'ssh_private_key_file_password'):
self.client.connect(self.hostname, port=port,
key_filename=inventory.get(self.hostname, 'ssh_private_key_filename'),
password=inventory.get(self.hostname, 'ssh_private_key_file_password'))
else:
try:
self.client.connect(self.hostname, port=port,
key_filename=inventory.get(self.hostname, 'ssh_private_key_filename'))
except PasswordRequiredException:
# retry with password
ssh_private_key_file_password = getpass.getpass('Password for private key file ' +
inventory.get(self.hostname, 'ssh_private_key_filename') + ': ')
self.client.connect(self.hostname, port=port,
key_filename=inventory.get(self.hostname, 'ssh_private_key_filename'),
password=ssh_private_key_file_password)
else:
ssh_username = input('Username for host ' + self.hostname + ': ')
if ssh_username.strip() == '':
raise RuntimeError('No method of authenticating with host ' + self.hostname + ' found')
ssh_password = getpass.getpass('Password for host ' + self.hostname + ': ')
if inventory.has_option(self.hostname, 'sudo_password'):
self.sudo_password = inventory.get(self.hostname, 'sudo_password')
else:
self.sudo_password = ssh_password
self.client.connect(self.hostname, port=port, username=ssh_username, password=ssh_password)
def main():
import argparse
import atexit
from io import StringIO
import locale
import logging
import os
import pathlib
import pprint
import sys
import time
import xml.dom.minidom
import xml.etree.ElementTree as ET
from scap import register_namespaces
from scap.ColorFormatter import ColorFormatter
from scap.Model import Model
from scap.Host import Host
from scap.Inventory import Inventory
from scap.Reporter import Reporter
# set up logging
rootLogger = logging.getLogger()
ch = logging.StreamHandler()
fh = logging.FileHandler(filename="pyscap.log", mode='w')
fh_formatter = logging.Formatter(
"%(asctime)s - %(name)s - %(levelname)s - %(message)s")
fh.setFormatter(fh_formatter)
ch_formatter = ColorFormatter(
"%(asctime)s - %(name)s - %(levelname)s - %(message)s")
ch.setFormatter(ch_formatter)
rootLogger.addHandler(ch)
rootLogger.addHandler(fh)
rootLogger.setLevel(logging.DEBUG)
ch.setLevel(logging.WARNING)
# report start time & end time
logger = logging.getLogger(__name__)
logger.debug('Start: ' + time.asctime(time.localtime()))
register_namespaces()
output = None
def end_func():
if output is not None:
output.close()
logger.debug('End: ' + time.asctime(time.localtime()))
atexit.register(end_func)
# set up argument parsing
arg_parser = argparse.ArgumentParser()
arg_parser.add_argument('--version',
'-V',
action='version',
version='%(prog)s 1.0')
arg_parser.add_argument('--verbose', '-v', action='count')
arg_parser.add_argument('--output', '-o', nargs='?', default='-')
arg_parser.add_argument('--inventory', nargs='+')
arg_parser.add_argument('--host', nargs='+')
group = arg_parser.add_mutually_exclusive_group()
group.add_argument('--list-hosts',
help='outputs a list of the hosts',
action='store_true')
group.add_argument('--parse',
help='parse the supplied files',
nargs='+',
type=argparse.FileType('r'))
group.add_argument('--detect',
help='detect facts about the host',
action='store_true')
group.add_argument('--collect',
help='collect system characteristics about the host',
action='store_true')
group.add_argument('--benchmark',
help='benchmark hosts and produce a report',
action='store_true')
# group.add_argument('--test', help='perform a test on the selected hosts', nargs='+')
# pre-parse arguments
args = arg_parser.parse_known_args()
if len(args) <= 0:
arg_parser.error('No valid operation was given')
# change verbosity
if args[0].verbose:
if (args[0].verbose == 1):
ch.setLevel(logging.INFO)
logger.debug('Set console logging level to INFO')
elif (args[0].verbose == 2):
ch.setLevel(logging.DEBUG)
logger.debug('Set console logging level to DEBUG')
elif (args[0].verbose >= 3):
ch.setLevel(logging.NOTSET)
logger.debug('Set console logging level to NOTSET')
# set up the modes
if args[0].list_hosts:
logger.info("List hosts operation")
elif args[0].parse:
logger.info('File parsing operation')
elif args[0].detect:
logger.info("Detect operation")
elif args[0].collect:
logger.info("Collect operation")
arg_parser.add_argument('--content', required=True, nargs='+')
elif args[0].benchmark:
logger.info("Benchmark operation")
arg_parser.add_argument('--content', required=True, nargs='+')
arg_parser.add_argument('--data_stream', nargs=1)
arg_parser.add_argument('--checklist', nargs=1)
arg_parser.add_argument('--profile', nargs=1)
arg_parser.add_argument('--pretty', action='store_true')
else:
arg_parser.error('No valid operation was given')
# final argument parsing
args = vars(arg_parser.parse_args())
for arg in args:
logger.debug('Argument: ' + arg + ' = ' + str(args[arg]))
# expand the hosts
inventory = Inventory()
if args['inventory'] is not None:
for filename in args['inventory']:
try:
with open(filename, 'r') as fp:
logger.debug('Loading inventory from ' + filename)
Inventory().readfp(fp)
except IOError:
logger.error('Could not read from inventory file ' + filename)
else:
filename = str(
pathlib.Path(os.path.expanduser('~')) / '.pyscap' /
'inventory.ini')
try:
with open(filename, 'r') as fp:
logger.debug('Loading inventory from ' + filename)
Inventory().readfp(fp)
except IOError:
logger.error('Could not read from inventory file ' + filename)
if args['host'] is None or len(args['host']) == 0:
arg_parser.error('No host specified (--host)')
hosts = []
for hostname in args['host']:
host = Host.load(hostname)
hosts.append(host)
# open output if it's not stdout
if args['output'] != '-':
output = open(args['output'], mode='wb')
else:
output = sys.stdout.buffer
detection_collectors = [
'UniqueIdCollector',
'CpeCollector',
'FqdnCollector',
'HostnameCollector',
'NetworkConnectionCollector',
'NetworkServiceCollector',
'IdentityCollector',
]
if args['list_hosts']:
print('Hosts: ')
for host in hosts:
print(host.hostname)
elif args['parse']:
for uri in args['parse']:
logger.debug('Loading content file: ' + uri)
with open(uri, mode='r', encoding='utf_8') as f:
content = ET.parse(f).getroot()
model = Model.load(None, content)
logger.debug('Loaded ' + uri + ' successfully')
elif args['detect']:
for host in hosts:
host.connect()
# run detection collectors
for col_name in detection_collectors:
col = host.load_collector(col_name, {})
col.collect()
host.disconnect()
logger.info('Host detection dump:')
pp = pprint.PrettyPrinter(width=132)
pp.pprint(host.facts)
elif args['collect']:
if args['content'] is None or len(args['content']) == 0:
arg_parser.error('No content specified (--content)')
# this mode will collect oval system characteristics
for host in hosts:
host.connect()
# run detection collectors
for col_name in detection_collectors:
col = host.load_collector(col_name, {})
col.collect()
raise NotImplementedError(
'System characteristic collection is not implemented')
host.disconnect()
elif args['benchmark']:
### Loading.Import
# Import the XCCDF document into the program and build an initial internal
# representation of the Benchmark object, Groups, Rules, and other objects.
# If the file cannot be read or parsed, then Loading fails. (At the
# beginning of this step, any inclusion processing specified with XInclude
# elements should be performed. The resulting XML information set should be
# validated against the XCCDF schema given in Appendix A.) Go to the next
# step: Loading.Noticing.
if args['content'] is None or len(args['content']) == 0:
arg_parser.error('No content specified (--content)')
from scap.model.xccdf_1_1.BenchmarkType import BenchmarkType as xccdf_1_1_BenchmarkType
from scap.model.xccdf_1_2.BenchmarkType import BenchmarkType as xccdf_1_2_BenchmarkType
benchmark_model = None
for uri in args['content']:
logger.debug('Loading content file: ' + uri)
with open(uri, mode='r', encoding='utf_8') as f:
content = ET.parse(f).getroot()
model = Model.load(None, content)
if isinstance(model, xccdf_1_1_BenchmarkType) \
or isinstance(model, xccdf_1_2_BenchmarkType):
benchmark_model = model
for host in hosts:
host.connect()
# run detection collectors
for col_name in detection_collectors:
col = host.load_collector(col_name, {})
col.collect()
benchmark_model.noticing()
benchmark_model.selected_profiles = []
if args['profile'] is None or len(args['profile']) == 0:
# check them all
benchmark_model.selected_profiles.extend(
benchmark_model.profiles.keys())
else:
for profile in args['profile']:
if profile not in list(benchmark_model.profiles.keys()):
raise ValueError(
'Unable to select non-existent profile: ' +
profile + ' Available profiles: ' +
str(benchmark_model.profiles.keys()))
benchmark_model.selected_profiles.append(profile)
benchmark_model.resolve()
benchmark_model.process(host)
host.disconnect()
rep = Reporter.load(args, model)
report = ET.ElementTree(element=rep.report(hosts))
logger.debug('Preferred encoding: ' + locale.getpreferredencoding())
sio = StringIO()
report.write(sio, encoding='unicode', xml_declaration=True)
sio.write("\n")
if args['pretty']:
pretty_xml = xml.dom.minidom.parseString(
sio.getvalue()).toprettyxml(indent=' ')
output.write(pretty_xml.encode(locale.getpreferredencoding()))
else:
output.write(sio.getvalue().encode(locale.getpreferredencoding()))
else:
arg_parser.error('No valid operation was given')
def connect(self):
inventory = Inventory()
address = self.hostname
if inventory.has_option(self.hostname, 'address'):
address = inventory.get(self.hostname, 'address')
def connect(self):
inventory = Inventory()
if inventory.has_option(self.hostname, 'address'):
address = inventory.get(self.hostname, 'address')
else:
address = self.hostname
logger.debug('Using address ' + address)
if inventory.has_option(self.hostname, 'scheme'):
scheme = inventory.get(self.hostname, 'scheme')
else:
scheme = 'https'
logger.debug('Using url scheme ' + scheme)
if inventory.has_option(self.hostname, 'port'):
port = inventory.get(self.hostname, 'port')
else:
if scheme == 'http':
port = '5985'
elif scheme == 'https':
port = '5986'
else:
raise ('Invalid WinRM scheme: ' + scheme)
logger.debug('Using port ' + port)
if not inventory.has_option(self.hostname,
'cert_pem') and not inventory.has_option(
self.hostname, 'cert_key_pem'):
# try basic auth
if not inventory.has_option(self.hostname, 'username'):
raise RuntimeError('Host ' + self.hostname +
' has not specified option: username')
username = inventory.get(self.hostname, 'username')
if inventory.has_option(self.hostname, 'domain'):
username = inventory.get(self.hostname,
'domain') + '\\' + username
logger.debug('Using username ' + username)
if not inventory.has_option(self.hostname, 'password'):
raise RuntimeError('Host ' + self.hostname +
' has not specified option: password')
password = inventory.get(self.hostname, 'password')
self.protocol = Protocol(endpoint='https://' + address + ':' +
port + '/wsman',
transport='ssl',
username=username,
password=password)
else:
if not inventory.has_option(self.hostname, 'cert_pem'):
raise RuntimeError('Host ' + self.hostname +
' has not specified option: cert_pem')
cert_pem = inventory.get(self.hostname, 'cert_pem')
if not inventory.has_option(self.hostname, 'cert_key_pem'):
raise RuntimeError('Host ' + self.hostname +
' has not specified option: cert_key_pem')
cert_key_pem = inventory.get(self.hostname, 'cert_key_pem')
if inventory.has_option(self.hostname, 'server_cert_validation'):
server_cert_validation = inventory.get(
self.hostname, 'server_cert_validation')
else:
server_cert_validation = 'validate'
cert_key_pem = inventory.get(self.hostname, 'cert_key_pem')
self.protocol = Protocol(
endpoint='https://' + address + ':' + port + '/wsman',
transport='ssl',
cert_pem=cert_pem,
cert_key_pem=cert_key_pem,
server_cert_validation=server_cert_validation)
try:
self.shell_id = self.protocol.open_shell()
except Exception as e:
logger.warning(str(e))
def connect(self):
self.client = paramiko.client.SSHClient()
self.client.load_system_host_keys()
try:
# TODO windows/linux home instead of ~
logger.debug('Read ssh host keys from ~/.pyscap/ssh_host_keys')
self.client.load_host_keys(
os.path.expanduser('~/.pyscap/ssh_host_keys'))
except:
logger.warning("Couldn't read ssh host keys")
self.client.set_missing_host_key_policy(self.AskHostKeyPolicy())
inventory = Inventory()
if inventory.has_option(self.hostname, 'ssh_port'):
port = inventory.get(self.hostname, 'ssh_port')
else:
port = 22
self.sudo_password = None
if inventory.has_option(self.hostname,
'ssh_username') and inventory.has_option(
self.hostname, 'ssh_password'):
self.client.connect(self.hostname,
port=port,
username=inventory.get(self.hostname,
'ssh_username'),
password=inventory.get(self.hostname,
'ssh_password'))
if inventory.has_option(self.hostname, 'sudo_password'):
self.sudo_password = inventory.get(self.hostname,
'sudo_password')
else:
self.sudo_password = inventory.get(self.hostname,
'ssh_password')
elif inventory.has_option(self.hostname, 'ssh_private_key_filename'):
if inventory.has_option(self.hostname,
'ssh_private_key_file_password'):
self.client.connect(
self.hostname,
port=port,
key_filename=inventory.get(self.hostname,
'ssh_private_key_filename'),
password=inventory.get(self.hostname,
'ssh_private_key_file_password'))
else:
try:
self.client.connect(self.hostname,
port=port,
key_filename=inventory.get(
self.hostname,
'ssh_private_key_filename'))
except PasswordRequiredException:
# retry with password
ssh_private_key_file_password = getpass.getpass(
'Password for private key file ' + inventory.get(
self.hostname, 'ssh_private_key_filename') + ': ')
self.client.connect(self.hostname,
port=port,
key_filename=inventory.get(
self.hostname,
'ssh_private_key_filename'),
password=ssh_private_key_file_password)
else:
ssh_username = input('Username for host ' + self.hostname + ': ')
if ssh_username.strip() == '':
raise RuntimeError('No method of authenticating with host ' +
self.hostname + ' found')
ssh_password = getpass.getpass('Password for host ' +
self.hostname + ': ')
if inventory.has_option(self.hostname, 'sudo_password'):
self.sudo_password = inventory.get(self.hostname,
'sudo_password')
else:
self.sudo_password = ssh_password
self.client.connect(self.hostname,
port=port,
username=ssh_username,
password=ssh_password)
try:
from scap.collector.UNameCollector import UNameCollector
UNameCollector(self, {}).collect()
except:
# uname didn't work
raise NotImplementedError('Unable to run uname on host: ' +
self.host.hostname)
if self.facts['uname'].startswith('Linux'):
self.facts['oval_family'] = 'linux'
# elif uname.startswith('Darwin'):
# pass
elif self.facts['uname'].startswith('Windows NT'):
self.facts['oval_family'] = 'windows'
else:
raise NotImplementedError(
'Host detection has not been implemented for uname: ' +
self.facts['uname'] + ' on ' + self.hostname)
def connect(self):
self.client = paramiko.client.SSHClient()
self.client.load_system_host_keys()
try:
# TODO windows/linux home instead of ~
logger.debug('Read ssh host keys from ~/.pyscap/ssh_host_keys')
self.client.load_host_keys(os.path.expanduser('~/.pyscap/ssh_host_keys'))
except:
logger.warning("Couldn't read ssh host keys")
self.client.set_missing_host_key_policy(self.AskHostKeyPolicy())
inventory = Inventory()
if inventory.has_option(self.hostname, 'ssh_port'):
port = inventory.get(self.hostname, 'ssh_port')
else:
port = 22
if inventory.has_option(self.hostname, 'ssh_username') and inventory.has_option(self.hostname, 'ssh_password'):
self.client.connect(self.hostname, port=port,
username=inventory.get(self.hostname, 'ssh_username'),
password=inventory.get(self.hostname, 'ssh_password'))
elif inventory.has_option(self.hostname, 'ssh_private_key_filename'):
if inventory.has_option(self.hostname, 'ssh_private_key_file_password'):
self.client.connect(self.hostname, port=port,
key_filename=inventory.get(self.hostname, 'ssh_private_key_filename'),
password=inventory.get(self.hostname, 'ssh_private_key_file_password'))
else:
try:
self.client.connect(self.hostname, port=port,
key_filename=inventory.get(self.hostname, 'ssh_private_key_filename'))
except PasswordRequiredException:
# retry with password
ssh_private_key_file_password = getpass.getpass('Password for private key file ' +
inventory.get(self.hostname, 'ssh_private_key_filename') + ': ')
self.client.connect(self.hostname, port=port,
key_filename=inventory.get(self.hostname, 'ssh_private_key_filename'),
password=ssh_private_key_file_password)
else:
ssh_username = input('Username for host ' + self.hostname + ': ')
if ssh_username.strip() == '':
raise RuntimeError('No method of authenticating with host ' + self.hostname + ' found')
ssh_password = getpass.getpass('Password for host ' + self.hostname + ': ')
self.client.connect(self.hostname, port=port, username=ssh_username, password=ssh_password)
from scap.collector.UNameCollector import UNameCollector
UNameCollector(self, {}).collect()
if self.facts['uname']['kernel_name'] == 'Linux':
self.facts['oval_family'] = 'linux'
# elif uname.startswith('Darwin'):
# TODO
elif self.facts['uname']['kernel_name'] == 'Windows NT':
self.facts['oval_family'] = 'windows'
else:
raise NotImplementedError('Host detection has not been implemented for uname: ' + self.facts['uname'] + ' on ' + self.hostname)
# # test argument is already defined
# arg_parser.add_argument('--object', required=True, nargs='+')
# arg_parser.add_argument('--state', required=True, nargs='+')
else:
arg_parser.error('No valid operation was given')
# final argument parsing
args = vars(arg_parser.parse_args())
# configure ElementTree
for k, v in list(NAMESPACES.items()):
ET.register_namespace(v, k)
# expand the hosts
if args['collect'] or args['benchmark'] or args['list_hosts']:
inventory = Inventory()
for filename in args['inventory']:
try:
with open(filename, 'r') as fp:
logger.debug('Loading inventory from ' + filename)
Inventory().readfp(fp)
except IOError:
logger.error('Could not read from inventory file ' + filename)
if len(args['host']) == 0:
arg_parser.error('No host specified (--host)')
hosts = []
for hostname in args['host']:
host = Host.load(hostname)
hosts.append(host)
def exec_command(self, cmd, sudo=False):
inventory = Inventory()
if sudo:
if hasattr(self, 'sudo_password'):
pass
elif inventory.has_option(self.hostname, 'sudo_password'):
self.sudo_password = inventory.get(self.hostname,
'sudo_password')
else:
self.sudo_password = getpass.getpass(
'Sudo password for host ' + self.hostname + ': ')
cmd = 'sudo -S -- sh -c "' + cmd.replace('"', r'\"') + '"'
if sys.platform.startswith('linux'):
sudo_prompt = '[sudo]'
elif sys.platform.startswith('darwin'):
sudo_prompt = 'Password:'******'sudo prompt unknown for platform ' +
sys.platform)
logger.debug("Sending command: " + cmd)
p = Popen(cmd,
stdout=PIPE,
stdin=PIPE,
stderr=PIPE,
shell=True,
universal_newlines=True)
# note; can't use p.communicate; have to figure out if we get a prompt
# because there isn't if within sudo timeout
out_buf = ''
err_buf = ''
sel = selectors.DefaultSelector()
sel.register(p.stdout, selectors.EVENT_READ)
sel.register(p.stderr, selectors.EVENT_READ)
while True:
ready_list = sel.select(10)
if len(ready_list) == 0:
# timeout
p.stdin.close()
break
for (key, events) in ready_list:
if key.fileobj is p.stdout and events & selectors.EVENT_READ:
outs = p.stdout.buffer.read1(1024).decode()
if len(outs) > 0:
logger.debug('Got stdout: ' + outs)
out_buf += outs
elif key.fileobj is p.stderr and events & selectors.EVENT_READ:
errs = p.stderr.buffer.read1(1024).decode()
if len(errs) > 0:
logger.debug('Got stderr: ' + errs)
err_buf += errs
if sudo and err_buf.startswith(sudo_prompt):
logger.debug("Sending sudo_password...")
p.stdin.write(self.sudo_password + "\n")
p.stdin.close()
err_buf = ''
if p.stdout.closed and p.stderr.closed:
p.stdin.close()
p.poll()
break
if p.poll() is not None:
p.stdin.close()
break
if not p.stdout.closed:
outs = p.stdout.buffer.read1(1024).decode()
if len(outs) > 0:
logger.debug('Got extra-loop stdout: ' + outs)
out_buf += outs
if not p.stderr.closed:
errs = p.stderr.buffer.read1(1024).decode()
if len(errs) > 0:
logger.debug('Got extra-loop stderr: ' + errs)
err_buf += errs
if sudo and err_buf.startswith(sudo_prompt):
logger.debug("Sending sudo_password...")
p.stdin.write(self.sudo_password + "\n")
p.stdin.close()
err_buf = ''
sel.unregister(p.stdout)
sel.unregister(p.stderr)
sel.close()
out_lines = str.splitlines(out_buf)
out_lines = [line.strip('\x0A\x0D') for line in out_lines]
err_lines = str.splitlines(err_buf)
err_lines = [line.strip('\x0A\x0D') for line in err_lines]
return (p.returncode, out_lines, err_lines)
